fix: If not deleting, update with empty CA alias then delete #76

Draft
wants to merge 4 commits into
base: main

hawksight
Member

Attempt to fix #75 - Very much WIP.

Signed-off-by: Peter Fiddes <peter.fiddes@jetstack.io>
@hawksight hawksight self-assigned this Jun 9, 2025

snyk-io bot commented Jun 9, 2025

🎉 Snyk checks have passed. No issues have been found so far.

security/snyk check is complete. No issues have been found. (View Details)

license/snyk check is complete. No issues have been found. (View Details)

code/snyk check is complete. No issues have been found. (View Details)

Member Author

hawksight commented Jun 9, 2025

So this does actually delete the application... but I've got some errors to resolve:

helm_release.firefly: Destroying... [id=firefly]
tlspc_service_account.agent: Destroying... [id=a258091b-4539-11f0-b5df-927859466e6c]
tlspc_service_account.issuer: Destroying... [id=a25bd4b6-4539-11f0-b5df-927859466e6c]
helm_release.tlspk-config: Destroying... [id=tlspc-cluster-issuer]
tlspc_service_account.agent: Destruction complete after 1s
tlspc_service_account.issuer: Destruction complete after 1s
tlspc_application.app: Destroying... [id=a2317cd0-4539-11f0-9f95-a11359f95937]
helm_release.firefly: Destruction complete after 4s
helm_release.tlspk-config: Destruction complete after 5s
helm_release.venafi-enhanced-issuer: Destroying... [id=venafi-enhanced-issuer]
helm_release.approver-policy-enterprise: Destroying... [id=approver-policy-enterprise]
helm_release.venafi-enhanced-issuer: Destruction complete after 3s
helm_release.approver-policy-enterprise: Destruction complete after 4s
helm_release.venafi-connection: Destroying... [id=venafi-connection]
helm_release.venafi-connection: Destruction complete after 1s
kubernetes_secret.pull-credentials: Destroying... [id=venafi/venafi-image-pull-secret]
kubernetes_secret.pull-credentials: Destruction complete after 0s
tlspc_registry_account.oci: Destroying... [id=a22a90de-4539-11f0-ae80-16bd14caa76a]
tlspc_registry_account.oci: Destruction complete after 0s
╷
│ Warning: Helm uninstall returned an information message
│
│ These resources were kept due to the resource policy:
│ [CustomResourceDefinition] certificaterequestpolicies.policy.cert-manager.io
│
╵
╷
│ Warning: Helm uninstall returned an information message
│
│ These resources were kept due to the resource policy:
│ [CustomResourceDefinition] venaficonnections.jetstack.io
│
╵
╷
│ Warning: Helm uninstall returned an information message
│
│ These resources were kept due to the resource policy:
│ [CustomResourceDefinition] venaficlusterissuers.jetstack.io
│ [CustomResourceDefinition] venafiissuers.jetstack.io
│
╵
╷
│ Warning: Applied changes may be incomplete
│
│ The plan was created with the -target or the -exclude option in effect, so some changes requested in the configuration may have been ignored and the output values may not be fully updated. Run the following
│ command to verify that no other changes are pending:
│     tofu plan
│
│ Note that the -target and -exclude options are not suitable for routine use, and are provided only for exceptional situations such as recovering from errors or mistakes, or when OpenTofu specifically suggests to
│ use it as part of an error message.
╵
╷
│ Error: Error Deleting Application
│
│ Could not delete Application ID a2317cd0-4539-11f0-9f95-a11359f95937: Failed to delete certificate template; response was: {"errors":[{"code":20226,"message":"Unable to delete the application
│ \"tiger-response-tlspk\" as it will impact the following related resources. Please reassign or remove all related resources to proceed:
│ SERVICE_ACCOUNT(a258091b-4539-11f0-b5df-927859466e6c)","args":["tiger-response-tlspk","SERVICE_ACCOUNT(a258091b-4539-11f0-b5df-927859466e6c)"]}]}
╵
╷
## --------- Fix below. Above is the regular error I could suppress if fixing --------- ##
│ Error: Value Conversion Error
│
│ An unexpected error was encountered while verifying an attribute value matched its expected type to prevent unexpected behavior or panics. This is always an error in the provider. Please report the following to
│ the provider developer:
│
│ Expected framework type from provider logic: types.MapType[basetypes.StringType] / underlying type: tftypes.Map[tftypes.String]
│ Received framework type from provider logic: types.MapType[!!! MISSING TYPE !!!] / underlying type: tftypes.Map[tftypes.DynamicPseudoType]
│ Path: ca_template_aliases

Which means I have the app left in resources but it is actually deleted.


│ Expected framework type from provider logic: types.MapType[basetypes.StringType] / underlying type: tftypes.Map[tftypes.String]
│ Received framework type from provider logic: types.MapType[!!! MISSING TYPE !!!] / underlying type: tftypes.Map[tftypes.DynamicPseudoType]
│ Path: ca_template_aliases
╵
➜  gke-tlspc-provider git:(pf/firefly) ✗ tofu state ls
data.google_client_config.default
data.tlspc_ca_product.built_in_ca
data.tlspc_user.team_owner
google_compute_network.default
google_compute_subnetwork.default
google_container_cluster.default
google_container_node_pool.pool-1
google_service_account.nodes
helm_release.cert-manager
helm_release.venafi-agent
kubernetes_namespace.tlspk
kubernetes_secret.firefly-credentials
tls_private_key.rsa-key
tlspc_application.app
tlspc_firefly_config.ff_config
tlspc_firefly_policy.ff_policy
tlspc_firefly_subca.subca
tlspc_service_account.firefly
tlspc_team.firefly_team
tlspc_team.team

So process works, just need to change the flow to remove error and clean up the TF resource.

Signed-off-by: Peter Fiddes <peter.fiddes@jetstack.io>
Member Author

hawksight commented Jun 9, 2025

@aidy I'd appreciate your experience to find the glaring holes in this logic. This is mostly copy paste from the update function into the delete function with some tweaks to the inputs.

I've tested a couple of times and it's sometimes working. Could use a pointer or two I think.
E.g., this is intermittent:

│ Error: Value Conversion Error
│
│ An unexpected error was encountered while verifying an attribute value matched its expected type to prevent unexpected behavior or panics. This is always an error in the provider. Please report the following to
│ the provider developer:
│
│ Expected framework type from provider logic: types.MapType[basetypes.StringType] / underlying type: tftypes.Map[tftypes.String]
│ Received framework type from provider logic: types.MapType[!!! MISSING TYPE !!!] / underlying type: tftypes.Map[tftypes.DynamicPseudoType]
│ Path: ca_template_aliases
╵

Looking again, maybe all the logic / subsequent calls should be in here?
https://github.com/jetstack/terraform-provider-tlspc/blob/main/internal/tlspc/tlspc.go#L852

Comment on lines 342 to 343
plan.ID = types.StringValue(updated.ID)
diags = resp.State.Set(ctx, plan)
Collaborator

I'd hazard a guess that your problem is here: you don't have a fully instantiated plan - just an otherwise empty applicationResourceModel with the ID attribute set, and so it might be failing whatever schema validation checks are in State.Set.

hawksight added 2 commits June 9, 2025 18:07
Signed-off-by: Peter Fiddes <peter.fiddes@jetstack.io>
Signed-off-by: Peter Fiddes <peter.fiddes@jetstack.io>

Successfully merging this pull request may close these issues.

[BUG] Deleting application blocked with wrong error